Re: ATM machine security

2005-03-03 Thread Anne Lynn Wheeler
Lee Parkes wrote:
Hi,
I'm working on a project that requires a benchmark against which to judge
various suppliers. The closest that has similar requirements is the ATM 
industry. To this end I'm looking for any papers, specifications or published 
attacks against ATM machines and their infrastructure. I'm also looking for what
type of networks they use and the crypto they use to protect comms.
Also any standards would be good that the ATM industry has to adhere to.
messages/networks tend to be some flavor of iso8583 (used for both 
credit and debit). most associations have requirement for DUKPT (derived 
unique key per transaction) DES and transition to 3DES.

do search engine some flavor of 8583, dukpt, and/or x9 (x9 is the 
us/ansi financial standards organization ... they have some recognition 
at places like NIST where they've gotten around to saying that they no 
longer have to rewrite X9 crypto standards for FIPS ... but can directly 
reference the X9 documents).

lots of the attacks aren't directly on the ATM machines ... but on the 
cards used at ATM machines ... aka skimming attacks. there is the stuff 
about overlays on the front of ATM machines to capture information as 
the card passes thru for valid transations. the captured information is 
then used to manufactor counterfeit cards (i think there was even a 
scene on this on one of last seasons CSI tv shows).

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Digital Water Marks Thieves

2005-03-03 Thread Dan Kaminsky


 My complaint is against the parroting of patently absurd claims by
 manufacturers (or governments, for that matter) under the guide of
 journalism.

 If you need the reason to be concrete, here's one: I might buy this
 magic water and apply it to some of my stuff, figuring I don't have to
 shell out for a second pint because Robert Andrews has assured me the
 thieves can't determine that it's on my Thing-1 but not my Thing-2. 

There are tens of thousands of places inside a vehicle that a VIN# can
be stashed.  Sometimes you don't always want the attacker to know where
the marks are.

The point is that the thief should think anything expensive is
protected, by which I mean it's too traceable to fence.  At least right
now, this is working.  Hard to argue with success.

--Dan



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: SHA-1 results available

2005-03-03 Thread Whyte, William

 http://theory.csail.mit.edu/~yiqun/shanote.pdf
 
 No real details, just collisions for 80 round SHA-0 (which I 
 just confirmed)
 and 58 round SHA-1 (which I haven't bothered with), plus the 
 now famous work
 factor estimate of 2^69 for full SHA-1.
 
 As usual, Technical details will be provided in a 
 forthcoming paper. I'm not
 holding my breath.

A preprint was circulating at the RSA conference; Adi Shamir 
had a copy. Similar techniques were used by Vincent Rijmen
and Elizabeth Oswald, in their paper available at
.http://eprint.iacr.org/2005/010.

William

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Digital Water Marks Thieves

2005-03-03 Thread Matt Crawford
On Feb 22, 2005, at 10:57, Dan Kaminsky wrote:
The point is that the thief should think anything expensive is
protected, by which I mean it's too traceable to fence.
That would be the thinking of a thief who read the article and took it 
at face value.  A more clever thief would realize that the magic water 
would respond to *his* ultraviolet light just as well as the police's.  
(And in today's climate, the counter-counteraction will be a measure to 
outlaw ultraviolet lights in the hands of private citizens ...)

  Let's vary piracy / with a little burglary!
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Code name Killer Rabbit: New Sub Can Tap Undersea Cables

2005-03-03 Thread Matt Crawford
On Feb 18, 2005, at 19:47, R.A. Hettinga wrote:
It does continue to be something of a puzzle as to how they get this 
stuff
back to home base, said John Pike, a military expert at 
GlobalSecurity.org.
I should think that in many cases, they can simply lease a fiber in the 
same cable.  What could be simpler?

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Many Wireless Security Breaches Reported At (RSA) Security Conference

2005-03-03 Thread Stefan Kelm
 (As I've said many times, security breaches reported at
 conferences full of security people don't count as a
 predictor of what's out in the real world as a threat.
 But, it makes for interesting reading and establishes
 some metric on the ease of the attack.  iang)

I also recommend the brief discussion between Marcus Ranum and
Bill Cheswick on the very same topic in the aftermath of the
recent USENIX Security Symposium:

  http://www.usenix.org/publications/login/2004-12/openpdfs/wireless.pdf

Cheers,

Stefan.

Unsere Anschrift und Telefonnummer haben sich geaendert!

Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Straße 12-14, D-76137 Karlsruhe

Tel. +49 721 255171-304, Fax +49 721 255171-100
[EMAIL PROTECTED], http://www.secorvo.de/
---
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


I'll show you mine if you show me, er, mine

2005-03-03 Thread R.A. Hettinga
http://www.theregister.co.uk/2005/02/21/crypto_wireless/print.html

The Register


 Biting the hand that feeds IT

The Register » Security » Identity »

 Original URL: http://www.theregister.co.uk/2005/02/21/crypto_wireless/

I'll show you mine if you show me, er, mine
By Lucy Sherriff (lucy.sherriff at theregister.co.uk)
Published Monday 21st February 2005 17:11 GMT

Security researchers have developed a new cryptographic technique they say
will prevent so-called stealth attacks against networks.

A stealth attack is one where the attacker acts remotely, is very hard to
trace, and where the victim may not even know he was attacked. The
researchers say this kind of attack is particularly easy to mount against a
wireless network.

The so-called delayed password disclosure protocol was developed by
Jakobsson and Steve Myers of Indiana University. The protocol allows two
devices or network nodes to identify themselves to each other without ever
divulging passwords.

The protocol could help secure wireless networks against fraud and identity
theft, and protect sensitive user data. The technique will be particularly
useful in ad-hoc networks, where two or more devices or network nodes need
to verify each others' identity simultaneously.

Briefly, it works like this: point A transmits an encrypted message to
point B. Point B can decrypt this, if it knows the password. The decrypted
text is then sent back to point A, which can verify the decryption, and
confirm that point B really does know point A's password. Point A then
sends the password to point B to confirm that it really is point A, and
knows its own password.

The researchers say that this will prevent consumers connecting to fake
wireless hubs at airports, or in coffee shops. It could also be used to
notify a user about phishing attacks, scam emails that try to trick a user
into handing over their account details and passwords to faked sites,
provide authentication between two wireless devices, and make it more
difficult for criminals to launder money through large numbers of online
bank accounts.

Jakobsson is hoping to have beta code available for Windows and Mac by the
spring, and code for common mobile phone platforms later in 2005.

More info available here (http://www.stealth-attacks.info). ®

Related stories

Hotspot paranoia: try to stay calm
(http://www.theregister.co.uk/2005/01/24/wi_fi_hotspot_security/)
Crypto researchers break SHA-1
(http://www.theregister.co.uk/2005/02/17/sha1_hashing_broken/)
Cyberpunk authors get the girls
(http://www.theregister.co.uk/2005/02/17/cyberpunk/)

© Copyright 2005

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


FW: ATM machine security

2005-03-03 Thread Chris Trott

 Hi,
 I'm working on a project that requires a benchmark against which to judge
 various suppliers. The closest that has similar requirements is the ATM
 industry. To this end I'm looking for any papers, specifications or 
 published attacks against ATM machines and their infrastructure. I'm also
 looking for what type of networks they use and the crypto they use to
 protect comms. Also any standards would be good that the ATM industry has
 to adhere to.

My Apologies to the original poster here, but does this seem like a little
human engineering to anyone else? 

I mean sounds to me like your project is a search for weakness in the ATM
system in preparation for an attack, or have I misjudged and you are the
well meaning integrating party who have commissioned a number of 'suppliers'
build a new ATM system (or ATM like system) while methodically attempting to
avoid past errors. 

If you are accepting bids from suppliers who already produce ATMs ie NEC or
the like, how would your request help ? would you be expecting them to
subvert the existing standards to prevent attacks ?

Interestingly,  I think the comment was tossed around here a few weeks ago,
that building a new 'atm system' wouldn't be possible these days, given the
competing standards, differing levels of what would be considered secure
etc. 

Just curious, or was it paranoid, - who said that ?


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: I'll show you mine if you show me, er, mine

2005-03-03 Thread James A. Donald
--
On 24 Feb 2005 at 2:29, Peter Gutmann wrote:
 Isn't this a Crypto 101 mutual authentication mechanism (or
 at least a somewhat broken reinvention of such)?  If the
 exchange to prove knowledge of the PW has already been
 performed, why does A need to send the PW to B in the last
 step?  You either use timestamps to prove freshness or add an
 extra message to exchange a nonce and then there's no need to
 send the PW.  Also in the above B is acting as an oracle for
 password-guessing attacks, so you don't send back the
 decrypted text but a recognisable-by-A encrypted response, or
 garbage if you can't decrypt it, taking care to take the same
 time whether you get a valid or invalid message to avoid
 timing attacks.  Blah blah Kerberos blah blah done twenty
 years ago blah blah a'om bomb blah blah.

 (Either this is a really bad idea or the details have been
 mangled by the Register).

It is a badly bungled implementation of a really old idea.

An idea, which however, was never implemented on a large scale,
resulting in the mass use of phishing attacks.

Mutual authentication and password management should have been
designed into SSH/PKI from the beginning, but instead they
designed it to rely wholly on everyone registering themselves
with a centralized authority, which of course failed.

SSH/PKI is dead in the water, and causing a major crisis on
internet transactions.  Needs fixing - needs to be fixed by
implementing cryptographic procedures that are so old that they
are in danger of being forgetten.

 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 Dn3N69hcbr+mL/HUTw8OhGtKmD9rHYOMN4NTBkIY
 47AOCXrb7e35xm5QBsHbFVr/jfm+XwTUvzdiytKpG


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: I'll show you mine if you show me, er, mine

2005-03-03 Thread R.A. Hettinga

--- begin forwarded text


To: [EMAIL PROTECTED]
Subject: Re: I'll show you mine if you show me, er, mine
Date: Wed, 23 Feb 2005 12:14:04 -0800 (PST)
From: [EMAIL PROTECTED] (Hal Finney)
Sender: [EMAIL PROTECTED]

Markus Jakobsson is a really smart guy who's done some cool stuff, so I
think this is probably better than it sounds in the article.  His web
site is http://www.informatics.indiana.edu/markus/ but I don't see any
papers there that sound like what the article describes.  I tried to
reverse engineer the protocol from the article, and the results are below.
But first let me put this into context.

The security property seems to be that you send something to the server,
and it sends you back something that proves that it knows your password.
But neither a passive eavesdropper nor a MITM can learn anything about
your password from observing or influencing the exchange.  The best an
attacker can do is to try to brute force your password by guessing it
repeatedly and trying each guess out at the server.  And this can be
easily prevented by having the server refuse to answer more than a few
bad password attempts.

Note that this is different from simple PK based authentication,
because the secret is human memorizable.  And it's different from,
say, having the server respond with a keyed hash of your passphrase,
because an eavesdropper could then do an offline brute force search.
The key feature is that the only attack is online brute forcing.

There are already a lot of protocols in the literature which do this,
often performing key agreement at the same time.  The original one
and most famous was SPEKE.  There is a long list of such protocols at
http://grouper.ieee.org/groups/1363/passwdPK/submissions.html.  I don't
know what properties this new protocol has that the old ones don't.
Maybe it does have some and I am missing the point.  Or there might be
some patent issues that it is trying to work around.

Anyway, here's my attempt at mimicking the protocol, based on the
description of envelopes and carbon paper.

You have a password, and so does the site you will login to.  (Or,
maybe the site has a salted hash of your password; you could use that
instead.)  You set up a homomorphic encryption system.  This is one where
you can send an encrypted value to someone else, and he can do certain
operations on the encrypted value, like multiplying it by a constant.
In this case I think we only need to encrypt the value 1, and let the
other guy multiply by his constant, which makes it simpler.

I think ElGamal could work: you encrypt 1 as (g^k, y^k), where you'd
make up a key y = g^x on the spot.  You send this to the other guy who
picks a random power j and raises both elements to that power, then
multiplies the 2nd one by c: (g^(k*j), y^(k*j) * c), and sends it back
to you.  This is now a valid ElGamal encryption of c.  But an observer
can't tell what c is.

For a first cut at this protocol, you take each bit of the password (or
salted hash) and create two encryptions of m = 1.  It would look like
this:

E(1)   E(1)   E(1)   E(1)   E(1)  ...
E(1)   E(1)   E(1)   E(1)   E(1)  ...

You send all these to the server.  The server knows your password (or
salted hash) and, for each pair of encrypted values, multiplies the
one corresponding to password bit b_i by some constant c_i.  The other
one of the pair, corresponding to !b_i, it multiplies by a random r_i.
The server sets it up so that the sum of all the c_i is zero.  Then it
sends all of them back to you.  If your passphrase started 01101...
it would be:

E(c_1)   E(r_2)   E(r_3)   E(c_4)   E(r_5)  ...
E(r_1)   E(c_2)   E(c_3)   E(r_4)   E(c_5)  ...

Now, you decrypt just the ones corresponding to the bits b_i and add up
the decrypted plaintexts, giving you sum of c_i.  If the result is zero,
you know the server knew your password (or salted hash).

Actually this is not quite right, because the article says that you are
not supposed to be able to decrypt both ciphertext values in the pair
that corresponds to a password bit.  Otherwise an imposter might be able
to figure out your passphrase by doing one interaction with the server,
then finding an element from each pair such that they all sum to zero.
This is kind of knapsacky and it might not be that hard, I'm not sure.

So I think what you could do is to send a valid ElGamal encryption of
1, and a bogus value which is not an ElGamal encryption of anything.
But the remote party wants to be sure that you can't decrypt them both.
One way to achieve this is to arrange that the first members of each pair,
g^k in the good encryption, multiply to some fixed value F for which the
discrete log is not known.  Maybe it's the hash of I don't know if this
will work.  You can't know the DL of that hash, so you can't find two
g^k values which multiply to that hash.  That means that if you have a
pair of ElGamal ciphertexts which have this property, only one is a real,
valid ElGamal ciphertext and so only one is 

Re: SHA-1 results available

2005-03-03 Thread Florian Weimer
* Jack Lloyd:

 http://theory.csail.mit.edu/~yiqun/shanote.pdf

Thanks for the pointer.

 No real details, just collisions for 80 round SHA-0 (which I just confirmed)
 and 58 round SHA-1 (which I haven't bothered with), plus the now famous work
 factor estimate of 2^69 for full SHA-1.

 As usual, Technical details will be provided in a forthcoming paper. I'm not
 holding my breath.

In addition, there's no trace of the second-preimage attack some
persons recently alluded to.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [IP] One cryptographer's perspective on the SHA-1 result

2005-03-03 Thread Steven M. Bellovin
Burt Kaliski posted the following to Dave Farber's IP list.  I was 
about to post something similar myself.

Beyond that, it is now clear that the industry needs an open evaluation
process -- like the Advanced Encryption Standard competition -- to establish
a new hash function standard for the long term, or at least an alternative
if SHA-256 and above turn out still to be good enough after review.


As he quite eloquently pointed out, we have a near-monoculture of hash 
algorithms.  Virtually every well-known hash algorithm, with the 
exception of Whirlpool, is derived from MD2/MD4/MD5.  At the time SHA-0 
was released, in fact, there was a great deal of speculation that NSA 
had copied Rivest's framework to avoid disclosing any new principles 
for hash function construction.

I have no idea if that's true or not.  As we all know, even NSA found 
SHA more problematic than they would have hoped; witness the release of 
SHA-1 not all that long afterwards.

When NIST released SHA256/384/512 shortly after AES, but without a 
public competition, the word was that they didn't have the resources to 
run two simultaneous large-scale, open processes.  That's a fair 
statement, and given the choice between an openly-chosen encryption 
algorithm and an openly-chosen hash function I think most of us would 
have made the same decision.

I don't know if there's quite the need for open process for a hash 
function as there was for a secrecy algorithm.  The AES process, after 
all, had to cope with the legacy of Clipper and key escrow, to say 
nothing of the 25 years of DES paranoia that was only laid to rest by 
the reinvention of differential cryptanalysis.  (The Deep Crack machine 
only confirmed another part of the paranoia, of course, but the 
essential parameter it exploited -- key size -- was both obviously 
insufficient in 1979 and obviously sufficient from the requirements of 
the AES competition.)  It is clear, as Burt said, that we need a 
large-scale effort to produce new and better hash functions.  To try to 
repair the MD*/SHA* family is to risk the cry of epicycles.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


FW: [IP] One cryptographer's perspective on the SHA-1 result

2005-03-03 Thread Trei, Peter
Full disclosure: Burt Kaliski and I share an employer.

Peter Trei

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf
Of David Farber
Sent: Wednesday, February 23, 2005 7:48 PM
To: Ip
Subject: [IP] One cryptographer's perspective on the SHA-1 result



From: Kaliski, Burt [EMAIL PROTECTED]
Subject: One cryptographer's perspective on the SHA-1 result
To: [EMAIL PROTECTED]
Date: Wed, 23 Feb 2005 19:43:43 -0500

Hi Dave --

As you might expect, the recent breakthrough on SHA-1 hash was a topic of
widespread discussion at the annual RSA Conference last week in San
Francisco.  Commercial cryptography is one of few fields in IT which has
totally absorbed the open review process.  We know from experience that an
ongoing and aggressive analysis of our current technology, searching out
potential weaknesses, is a critical part of the process by which we
strengthen it for the future.

RSA Laboratories has just posted a brief note on the recent SHA-1 result, to
supplement our earlier notes about MD5 and other hashes, at
http://www.rsasecurity.com/rsalabs.

In my opinion, the latest result on SHA-1 -- once confirmed -- will be one
of the most significant results in cryptanalysis in the last decade.  Hard
work indeed brings a profit, as the proverb says, and the perseverance of
Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu appears to have paid off with
this unexpected special attack on SHA-1 that can find collisions in less
than the promised 2^80 threshold.

It is a delight to congratulate the Shandong University team on their
achievement, and especially Dr. Yiqun Lisa Yin, for many years my colleague
at RSA Laboratories, and one of the co-inventors of RSA Security's RC6 block
cipher.

This attack seems to have uncovered an unexpected weakness in one of the
essential properties of SHA-1, a one-way hash function with a 160-bit
output.  Essentially, this new research suggests that it is considerably
less difficult than expected to create two somewhat different data files
that can be reduced and compressed to an identical hash value.
Cryptographers call these collisions in hash outputs.

A hash function takes a variable-length digital input and coverts it into a
fixed-length pseudo-random hash value that can serve as a useful
fingerprint for the input file.  A one-way hash function like SHA-1 is
easy to compute in one direction, but it's very difficult to reconstitute
the initial file from the hash value.  A good hash function is also expected
to be collision-free. That is, it should be hard to generate two input
files which, put through the hash function, generate the same hash value.
(Hash functions collisions must exist, of course, since the hash inputs can
be longer than the outputs -- but the design goal is to make them hard to
find in practice.)

These attributes have made the one-way hash one of the most useful
primitives in modern cryptography.  Hash functions are, for example,
essential in deriving message authentication codes (MACs) and message
digests, the small file that is actually cryptographically signed to
create a digital signature for larger files, in a typical public key
crypto application.

MIT Professor Ron Rivest, one of the founders of RSA Security, created three
one-way hashes that were widely used by cryptographers over the past 20
years (MD2, MD4, and MD5), but each of those was eventually deprecated as
subtle weaknesses were discovered that suggested that the internal design
was less robust than desired against potential future attacks.

Any successful attack on SHA-1 based on the new result would still involve a
huge amount of computer processing, so this latest research is unlikely (as
many have said) to have any significant impact on past or current
applications.  It is, however, a wake-up call for cryptographers and the
industry leaders concerned with the long-term vitality of our technology.

The SHA (aka SHA-0) hash function was developed for the US government in
1995 for use within the Digital Signature Standard.  Its design was based on
MD4.  SHA was upgraded to SHA-1 early in its life cycle, apparently to
address undisclosed weaknesses discovered by the NSA, and today SHA-1 is the
industry standard.  It is widely used and has been trusted by both
developers and applied crypto engineers, although routine efforts to enhance
SHA-1 with longer output values have led to the quiet development of
SHA-256, SHA-385, and SHA-512 as design options for long-term applications.

Although RSA Security, and most standards organizations, have recommended
the use of SHA-1 for several years, Rivest's MD5 is still widely used in
many applications despite research in the 1990s that discovered pseudo
collisions within the internal operations of MD5.  Then, last summer, there
were additional results on MD5 that led many cryptographers to urge the
abandonment of MD5 for SHA-1, which had withstood a great deal of analysis
and was widely believed to be still secure.

It is easy to 

Chatter Punks

2005-03-03 Thread R.A. Hettinga

--- begin forwarded text


Date: Thu, 24 Feb 2005 12:25:10 -0800
To: [EMAIL PROTECTED]
From: John Young [EMAIL PROTECTED]
Subject: Chatter Punks
Sender: [EMAIL PROTECTED]

Maybe it's been mentioned here but the book, Chatter: Dispatches
from the Secret World of Global Eavesdropping, by Patrick Radden
Keefe mentions cypherpunks and a slew of people who've been around
here, or discussed, cited, admired, attacked and hated here.

Crypto is featured, along with the TLAs, the fools who run them, the
lackies who suck their tits, the congress critters who give them a free
pass no matter what fuck-ups damage the US and the unwary targets
of spooks, 9/11 only one of many.

It's a lively read, and a lot of its smooth-narrative content won't be
new to avid readers of disputatious, thankfully ungrammatically
cpunks, but it does get the slick word out to the public in an easy
to swallow fashion.

For us jacket addicts, there are favorable blurbs by David Kahn and
Seymour Hersh.

Keefe calls John Gilmore, Duncan Campbell, and other uninstitutionalized
insurgents outcasts, but IEDs are where it's at, right?

He also claims the NSA is a pitiful giant, protected against
change by ever increasing secrecy blessed by congress and
the administration, and that most of its new hires are security
guards to protect against knowing what's inside, not the
personnel truly needed.

--- end forwarded text


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


No Encryption for E-Passports

2005-03-03 Thread R.A. Hettinga
http://www.wired.com/news/print/0,1294,66686,00.html

Wired News


No Encryption for E-Passports 
By Ryan Singel?

Story location: http://www.wired.com/news/privacy/0,1848,66686,00.html

02:00 AM Feb. 24, 2005 PT

Despite widespread criticism from security experts that a proposed
high-tech upgrade to Americans' passports actually introduces new security
risks, the government is declining to encrypt data on new high-tech
e-passports, according to proposed new rules published last week.

 In response to this outside criticism and some public questioning by one
of its own contractors, the State Department delayed its rollout of the
chip-equipped passports and hired additional companies to provide
prototypes.


 Other countries are also wrangling with the issue, as the United States is
requiring all 27 countries whose citizens do not need visas to visit
America to begin issuing e-passports by October.

 So far only Belgium has started production, and it is likely the deadline,
which was originally October 2004, will be pushed back another year.

 The new passports will include a radio frequency identification tag, a
chip that will store all the information on the data page of the passport,
including name, date and place of birth, and a digitized version of the
photo passport, according to the proposal in the Federal Register.

 RFID chips are widely used in automatic toll-payment systems such as
FasTrak, or identification chips implanted in the necks of pets.

 The chips are activated by a reader using certain radio frequency waves,
which the chips use as an energy source to send back the encoded
information.

 Border agents, equipped with readers, would be able to pull up passport
information on a screen and visually compare the digitized photo against
the passport bearer.

 Agents will also be able to use facial identification software to compare
the person to the digitized photo, which is not feasible with current
passports.

 The State Department, which has responsibility for passports and visas,
hopes the measure will improve security and help curb passport forgery.

 The government will use chips that can only be written to once, and a
further safeguard is provided in the form of a digital signature, which
allows readers to verify that the information on the chip is the
information originally written to it.

 But the rules, which are open for comment until April 4, rule out
encrypting the bearer's name, birth date and digital photo, saying such a
move would impede worldwide adoption of e-passports and that encrypted data
would slow down entry and exit at customs.

 The lack of encryption baffles privacy advocates and security researchers,
who say the new passports are vulnerable to skimming, an attack that uses
an unauthorized reader to gather information from the RFID chip without the
passport owner's knowledge.

 The State Department concedes that skimming is a legitimate threat, but
says the chips will have a read range of inches, that eavesdropping at
border stations would be very conspicuous and that the passports will have
a shielding mechanism -- perhaps a foil case or a weave in the cover that
will cloak the chip when the passport is closed.

 That does little to satisfy critics such as Lee Tien, an attorney at the
Electronic Frontier Foundation.

 The State Department has not responded in any meaningful way to any of
the privacy community, Tien said. They are offering the equivalent of
duct tape and baling wire as far (as) protecting peoples' information from
being read.

 It is my understanding it's possible to read this information from 10 to
30 feet away with the right equipment, Tien said. When you think about
the issues Americans have, especially when they travel abroad -- do you
really want your passport to be broadcasting your name and nationality?
This isn't good for privacy or the physical security of Americans abroad.

 Bruce Schneier, a security expert and author who founded Counterpane
Internet Security, questions how much shielding helps, since travelers
often have to show identification to exchange currency or check into a
hotel.

 Shielding is a good idea, but the problem is if you travel in Europe you
are asked to show your passport a lot, Schneier said. So all that
shielding means is that someone who wants to sniff my passport just has to
pick his location.

 Schneier, who just renewed his passport to make sure he will not have an
unencrypted passport for another 10 years, says he has yet to hear a good
argument as to why the government is requiring remotely readable chips
instead of a contact chip -- which could hold the same information but
would not be skimmable.

 A contact chip would be so much safer, Schneier said. The only reason I
can think of is the government wants surreptitious access. I'm running out
of other explanations. I'd love to hear one.

 Not everyone in the RFID industry thinks the proposed rules compromise
security more than they help.

 The goal is to 

When paying with plastic, why swipe? Just wave

2005-03-03 Thread R.A. Hettinga
http://news.zdnet.com/2102-9588_22-5589512.html?tag=printthis

ZDNet News


 By Alorie Gilbert
 URL: http://news.zdnet.com/2100-9588_22-5589512.html
Tired of having to swipe and sign every time you use a credit card?

 Visa is hoping to simplify the process of paying with plastic with a new
payment technology it introduced Thursday. With the company's new
contactless system, consumers need only wave credit and debit cards
within a few inches of a reader to complete a purchase. And for purchases
of less than $25, no signature is required.

 The technology will be more convenient for merchants and consumers alike
by reducing checkout times and lines, Visa executives said. It's also
designed to be an easy alternative to cash for small purchases such as a
soda or pack of gum.

 Our hope is that the contactless payment feature will drive added
convenience and speed to consumers, said Niki Manby, vice president of
market and technology innovation at Visa USA. You no longer need to swipe
or hand over your card.

 But don't go waving your credit and debit cards around just yet. Visa must
first convince merchants and card issuers to use new equipment. For
merchants, that means purchasing new card readers. For banks, it means
introducing special cards capable of transmitting account data via radio
signal rather than magnetic stripe. So far, no card issuers are offering
them, Manby said.

 With 5.6 million merchants in the United States, Visa will need some time
to phase out its old system.

 It's not something retailers will do lightly overnight, said Pennie
Gillespie, a Forrester Research analyst.

 Visa is not alone in the endeavor. MasterCard and American Express also
are experimenting with contactless cards. MasterCard has been doing field
tests in Florida, while American Express is doing trials in Arizona and New
York. The companies are using compatible technology, so merchants can use
the same card readers for all three systems. Merchants just need to install
an extra bit of software to make it all work together, said Patrick
Gauthier, senior vice president of new product development at Visa.

 Visa and its rivals have some obstacles to overcome before the technology
becomes more mainstream, Gillespie said. Not only must they convince
merchants to buy new readers, they must assure consumers that the
new-fangled cards are every bit as secure as the old ones in an age of
identity theft and high-tech hacking.

 Security is a question, Gillespie said. How easy is it for someone to
interact with a wireless communication and pick up a number?

 Visa designed its system to be highly secure, with multiple layers of
encryption and fraud detection, Gauthier said. Each transmission between
card and reader has a unique code that cannot be reused even if it is
intercepted, a key security feature, he said. In addition, consumers have
no liability for fraudulent charges with the new cards as with the old
ones, Gauthier added.

 Security is at the core of our business, Gauthier said. We are fully
confident that the platform we have developed is as secure as any form of
Visa cards today.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Senators Boxer, Clinton Unveil Count Every Vote Act of 2005

2005-03-03 Thread R.A. Hettinga
http://dailykos.com/story/2005/2/26/204031/168


Daily Kos ::

 Political Analysis and other daily rants on the state of the nation.

 Senators Boxer, Clinton Unveil Count Every Vote Act of 2005
by Hunter
 Sat Feb 26th, 2005 at 17:40:31 PST

 The email alerts on this were sent out last week. In case you missed it,
here's the press release from Boxer.

WASHINGTON, DC- U.S. Senators Hillary Rodham Clinton (D-NY) and Barbara
Boxer (D-CA) today unveiled comprehensive voting reform legislation to make
sure that every American is able to vote and every vote is counted.
Senators Clinton and Boxer announced the legislation today in a press
conference joined by Representative Stephanie Tubbs Jones (D-OH), who will
sponsor the legislation in the House of Representatives, and voting rights
advocates. [...]

The Count Every Vote Act of 2005 will provide a voter verified paper ballot
for every vote cast in electronic voting machines and ensures access to
voter verification for all citizens, including language minority voters,
illiterate voters and voters with disabilities. The bill mandates that this
ballot be the official ballot for purposes of a recount. The bill sets a
uniform standard for provisional ballots so that every qualified voter will
know their votes are treated equally, and requires the Federal Election
Assistance Commission to issue standards that ensure uniform access to
voting machines and trained election personnel in every community. The bill
also improves security measures for electronic voting machines.

To encourage more citizens to exercise their right to vote, the Count Every
Vote Act designates Election Day a federal holiday and requires early
voting in each state. The bill also enacts no-excuse absentee balloting,
enacts fair and uniform voter registration and identification, and requires
states to allow citizens to register to vote on Election Day. It also
requires the Election Assistance Commission to work with states to reduce
wait times for voters at polling places. In addition, the legislation
restores voting rights for felons who have repaid their debt to society.

 The Count Every Vote Act also includes measures to protect voters from
deceptive practices and conflicts of interest that harm voter trust in the
integrity of the system. In particular, the bill restricts the ability of
chief state election officials as well as owners and senior managers of
voting machine manufacturers to engage in certain kinds of political
activity. The bill also makes it a federal crime to commit deceptive
practices, such as sending flyers into minority neighborhoods telling
voters the wrong voting date, and makes these practices a felony punishable
by up to a year of imprisonment.

 Boxer, Clinton, and Tubbs Jones deserve our support on this one -- the
Republican strategy will be to attempt to ignore this completely, and bury
it long before it could ever reach the floor. Let's make that a painful
strategy to have, by singling out each opponent of voting reform as they
fling themselves in front of this bus.

 Having accurate vote counts should not be a partisan issue. The fact that
it is says volumes about the cowardice and reliance on grass-roots
thuggery of the current Republican party.  And yeah, Jeb -- I'm talking
about you.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


SpookAir, redux: No Secrets -- Eyes on the CIA

2005-03-03 Thread R.A. Hettinga
http://www.msnbc.msn.com/id/7037720/site/newsweek/print/1/displaymode/1098/
  MSNBC.com

No Secrets: Eyes on the CIA
Newsweek


March 7 issue - Aviation obsessives with cameras and Internet connections
have become a threat to cover stories established by the CIA to mask its
undercover operations and personnel overseas. U.S. intel sources complain
that plane spotters-hobbyists who photograph airplanes landing or
departing local airports and post the pix on the Internet-made it possible
for CIA critics recently to assemble details of a clandestine transport
system the agency set up to secretly move cargo and people-including
terrorist suspects-around the world.

Google searches revealed that plane spotters Web-posted numerous photos of
two private aircraft-one a small Gulfstream jet and the other a midsize
Boeing 737-registered to obscure companies suspected of CIA connections.
Some of the pictures were taken at airports in foreign countries where CIA
activities could be controversial. When the 737 last year went through a
change of tail number and ownership-a suspicious company in suburban Boston
apparently transferred the plane to a similar company in Reno,
Nev.-Internet searches of aviation and public-record databases disclosed
details of the plane's new owners and registration number. One critical
database, accessible via Google, was a central aircraft registry maintained
by the government's own Federal Aviation Administration. A U.S. intel
source acknowledged that the instant availability of such data and photos
on the Internet is not helpful if your object is clandestinity. (To see
how it works, check the Web for info on a business jet carrying the
Liechtenstein tail number HB-IES. The search should turn up pictures of
that plane at a European airport, as well as public records and news
stories describing how the plane, registered to a company called Aviatrans,
once belonged to Saddam Hussein.)

Intel sources say the CIA's own lawyers years ago decreed that under U.S.
law the agency must register its aircraft-including their tail numbers and
the front companies that own them-with public authorities like the FAA,
even though this could provide clues to clandestine activity. Agency
officials and lawyers have discussed the possibility of changing U.S. laws
and regulations to make it easier for the agency to hide its activities.
That may be difficult, so for now, plane spotters can keep their eyes on
the CIA.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Italian GSM provider warns: too many wiretaps

2005-03-03 Thread R.A. Hettinga
Mr-Rogers Now, boys and girls, try not to laugh *too* hard, and be sure
you swallow your Wheaties before you read this... /M-R

Cheers,
RAH
---

http://www.edri.org/edrigram/number3.4/wiretap

| EDRI
EDRI-gram » EDRI-gram - Number 3.4, 24 February 2005

Italian GSM provider warns: too many wiretaps
24 February, 2005
 »
Privacy | Wiretapping


The Italian mobile operator TIM, one of the largest mobile phone companies
in Italy has issued a unique warning that the number of wiretaps has
reached the limit. In a fax sent to all Italian public prosecutors they say
that they have already over-stretched their capacity from 5.000 to 7.000
simultaneously intercepted mobile phones. New requests now have to be
processed on a 'first come first serve' basis, they write.

 Even more unique in the current secretive environment of law enforcement,
the Italian Minister of Justice Roberto Castelli (right-wing Lega Nord) has
provided the newspaper Repubblica with statistics about the number of
wiretaps and costs. The number of wiretaps has doubled every two years, he
said, from 32.000 intercepts in 2001, to 45.000 in 2002, to 77.000 in 2003.
He estimates the number of wiretaps in 2004 to be 100.000, costing the
Justice department aprox 300.00 million euro in cost reimbursements. In
2003 the department of Justice spent 225 million euro on the intercepts, in
2002 230 million and in 2001 165 million.

 Castelli admitted the number of police intercepts in Italy was very high.
Currently Italy has aprox 58 million inhabitants. With 100.000 intercepts
in 2004, Italy orders 172 judicial intercepts per 100.000 inhabitants.
There is no information about wiretaps ordered by secret services in any
country.

 Castelli referred to the report of the German Max Planck Institute which
already concluded Italy was the wiretapping champion of the (western) world
with 76 intercepts per 100.000 inhabitants (44.000 wiretaps in 1996). The
number two on the European wiretapping list in 1996, the Netherlands,
refuses to provide any recent statistics. According to unofficial estimates
the Netherlands intercepted 12.000 phones (fixed and mobile) in 2004. If
those numbers are correct, the Netherlands have 75 intercepts per 100.000
inhabitants. In the United States, the most recent public statistics date
from 2002. They mention 1.273 court ordered intercepts on a population of
aprox 293 million, totalling 0,43 intercepts per 100.000 inhabitants. The
UK Communication Commissioner mentions a total of 1.983 warrants for
intercepts in 2003 on a population of 59,5 million, totalling 3,3
intercepts per 100.000 inhabitants.

 One possible explanation for the explosion of the number of wiretaps in
Italy is their short duration. An order is valid for 15 days and can only
be extended with a new motivation from a magistrate. Only for
investigations into organised crime an intercept can last 40 days. In many
other countries, intercepts have a duration of 1 to 3 months.

 Vodafone and Wind, two other major mobile phone companies, are also
reaching their maximum wiretapping capacity, reports Repubblica. While
Castelli used the occasion to warn against overuse of wiretapping in
investigations, the Italian magistracy doesn't seem to agree. Edmondo Bruto
Liberati, President the National Association of Magistrates (association of
both judges and public prosecutors) stressed that wiretapping is much
cheaper than individual covert surveillance. He complained about the vast
under-financing the judicial apparatus is currently suffering from.

 This public debate between the Minister and the magistracy points at a
more fundamental division in Italian politics. By stressing the immense
costs of wiretapping the Minister of Justice adds weight to his attempt to
shift the costs to the Ministry of Internal Affairs. Generally the Minister
pictures an image of a foolish magistracy that abundantly spends public
money. This comes as no surprise to many Italians, given the tense
relationship between Berlusconi and the magistracy.

 MP Giovanni Russo Spena (left wing opposition, Rifondazione Comunista) has
demanded an explanation from the government about the massive use of
wiretapping in investigations and wishes to be informed how citizens are
protected against this potential and actual invasion of their privacy
rights.

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


SpookAir, redux: No Secrets -- Eyes on the CIA

2005-03-03 Thread James A. Donald
--
On 27 Feb 2005 at 18:53, R.A. Hettinga wrote:
 March 7 issue - Aviation obsessives with cameras and Internet 
 connections have become a threat to cover stories established 
 by the CIA to mask its undercover operations and personnel 
 overseas. U.S. intel sources complain that plane 
 spotters-hobbyists who photograph airplanes landing or 
 departing local airports and post the pix on the 
 Internet-made it possible for CIA critics recently to 
 assemble details of a clandestine transport system the agency 
 set up to secretly move cargo and people-including terrorist 
 suspects-around the world.

Brinworld:  They may be watching us, but we are also watching 
them.

The large number of surveillance cameras popping up in American 
cities has turned out to be no threat to liberty.  Most of them 
are privately owned, and their private owners have no 
inclination to review their records, unless a real crime has 
been committed, and no inclination to hand over to authorities 
records that would primarily reveal their own activities.  In 
recent incidents where private surviellance camera records were 
given to authorities, the authorities received only selected 
excerpts, only what the owner of the records chose to reveal. 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 PS5fDA87MKS6uCbiF0gJ/R+39ekRuwLazrAsTyAa
 4MxSlekoFzNrLXER1RoAItoikUPxKn3udKQokRxkB



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Colliding X.509 Certificates

2005-03-03 Thread Weger, B.M.M. de
Hi all,

We announce the construction of two different valid X.509 certificates
that have identical signatures. This is based on MD5 collisions.

One could e.g. construct the to-be-signed parts of the certificates,
and get the one certificate signed by a CA. Then a valid signature for 
the other certificate is obtained, while the CA has not seen proof of 
possession of the private key of this second certificate. 

The certificates we constructed can be downloaded from
http://www.win.tue.nl/~bdeweger/CollidingCertificates/.
From this site some more technical information can be downloaded as
well.

We provide a short paper explaining in detail our method.
It is available on the website, and on the Cryptology ePrint Archive,
at http://eprint.iacr.org/2005/067.

This is joint work with Arjen Lenstra (Lucent Bell Labs and TU
Eindhoven)
and Xiaoyun Wang (Shandong University).

Grtz,
Benne de Weger

= 
Technische Universiteit Eindhoven 
Coding  Crypto Groep 
Faculteit Wiskunde en Informatica 
Den Dolech 2 
Postbus 513 
5600 MB Eindhoven 
e-mail: [EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED] 
www: http://www.win.tue.nl/~bdeweger 
= 


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


MD5 collision in X509 certificates

2005-03-03 Thread Ben Laurie
Cute. I expect we'll see more of this kind of thing.
http://eprint.iacr.org/2005/067
Executive summary: calculate chaining values (called IV in the paper) of 
first part of the CERT, find a colliding block for those chaining 
values, generate an RSA key that has the collision as the first part of 
its public key, profit.

BTW, reading this made me notice that Dan Kaminsky's attacks are wrong 
in detail, if not in essence. Because the output of the MD5 block 
function depends on the chaining values from previous blocks, it is not 
the case that you can prepend arbitrary material to your colliding 
block, as he claims. However, you can (according to the paper above) 
generate collisions with any IV, so if you know what the prepended 
material is, then Kaminsky's attack will still work.

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: MD5 collision in X509 certificates

2005-03-03 Thread Dan Kaminsky
Ben,

Semantic gap, and I do apologize if I didn't make this clear.  Wang
adapts to any initial state, so you can create arbitrary content to
prepend your collision set with, adapt to its output, and then append
whatever you like.  The temporal ordering is indeed important though;
you can't create the doppelganger set before you know what's prepended
to it.

The fact that we can have arbitrary content adapted to allows for a
critical expansion of the applied risks (i.e. we wouldn't be seeing
colliding certs w/o it).  I don't think it's fair to say my attacks --
in some vague, general sense -- are wrong, given what was at best a
small difference in interpretation.

The x.509 cert collision is a necessary consequence of the earlier
discussed prime/not-prime collision.  Take the previous concept, make
both prime, and surround with the frame of an x.509 cert, and you get
the new paper.  Still nice to see...Rescorla specifically thought it
wasn't possible.  I look forward to actually having the code to work on
this myself.
 
--Dan


Ben Laurie wrote:

 Cute. I expect we'll see more of this kind of thing.

 http://eprint.iacr.org/2005/067

 Executive summary: calculate chaining values (called IV in the paper)
 of first part of the CERT, find a colliding block for those chaining
 values, generate an RSA key that has the collision as the first part
 of its public key, profit.

 BTW, reading this made me notice that Dan Kaminsky's attacks are wrong
 in detail, if not in essence. Because the output of the MD5 block
 function depends on the chaining values from previous blocks, it is
 not the case that you can prepend arbitrary material to your colliding
 block, as he claims. However, you can (according to the paper above)
 generate collisions with any IV, so if you know what the prepended
 material is, then Kaminsky's attack will still work.

 Cheers,

 Ben.



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: MD5 collision in X509 certificates

2005-03-03 Thread Ben Laurie
Dan Kaminsky wrote:
The x.509 cert collision is a necessary consequence of the earlier
discussed prime/not-prime collision.  Take the previous concept, make
both prime, and surround with the frame of an x.509 cert, and you get
the new paper.
Actually, not - an RSA public key is not prime. Generating colliding 
public keys takes quite a bit more work.

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: MD5 collision in X509 certificates

2005-03-03 Thread Dan Kaminsky
Ben Laurie wrote:

 Dan Kaminsky wrote:

 The x.509 cert collision is a necessary consequence of the earlier
 discussed prime/not-prime collision.  Take the previous concept, make
 both prime, and surround with the frame of an x.509 cert, and you get
 the new paper.


 Actually, not - an RSA public key is not prime. Generating colliding
 public keys takes quite a bit more work.

*laughs* Yes, I suppose it would be difficult for pq to be prime now
wouldn't it :)

So they've basically solved:

md5(pq) == md5(p'q')

For integer values of p, q, p' and q'.  You are right, this is much more
work.

--Dan


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


FYI: paper about Metcalfe's Law

2005-03-03 Thread R.A. Hettinga

--- begin forwarded text


Date: Wed, 2 Mar 2005 23:20:58 -0600 (CST)
From: Andrew Odlyzko [EMAIL PROTECTED]
To: Andrew Odlyzko [EMAIL PROTECTED]
Subject: FYI: paper about Metcalfe's Law

Dear Colleagues,

Sorry for the spam, but I thought you might be interested in the
paper described below.  Comments are invited.

Andrew




 A refutation of Metcalfe's Law
  and a better estimate for the value
   of networks and network interconnections


Andrew Odlyzko
   Digital Technology Center
University of Minnesota
[EMAIL PROTECTED]


Benjamin Tilly
   [EMAIL PROTECTED]



  Abstract

Metcalfe's Law states that the value of a communications network
is proportional to the square of the size of the network.  It is
widely accepted and frequently cited.  However, there are several
arguments that this rule is a significant overestimate.  (Therefore
Reed's Law is even more of an overestimate, since it says that the
value of a network grows exponentially, in the mathematical sense,
in network size.) This note presents several quantitative arguments
that suggest the value of a general communication network of size n
grows like n*log(n).  This growth rate is faster than the linear
growth, of order n, that, according to Sarnoff's Law, governs the
value of a broadcast network.  On the other hand, it is much slower
than the quadratic growth of Metcalfe's Law, and helps explain the
failure of the dot-com and telecom booms, as well as why network
interconnection (such as peering on the Internet) remains a
controversial issue.




   FULL PAPER AT:

   http://www.dtc.umn.edu/~odlyzko/doc/metcalfe.pdf

--- end forwarded text


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: FUD about CGD and GBDE

2005-03-03 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Thor Lancelot Simon writes:
On Thu, Mar 03, 2005 at 05:31:34PM +0100, Poul-Henning Kamp wrote:
 In message [EMAIL PROTECTED], ALeine writes:
 
 Not necessarily, if one were to implement the ideas I proposed
 I believe the performance could be kept at the same level as now.
 
 I gave up on journalling myself because IMO it complicates
 things a lot and the problem it solves is very very small.
 
 The impact in disk seeks is non-trivial to predict, but it is
 very hard to argue that it will not lead to an increase in
 disk seeks.  (This is really a variant of the age old argument
 between jounaling filesystems and traditional filesystems)
 
 I can only recommend that you try :-)
 
 We need more ideas and more people trying out ideas.

I could not disagree more.  When it comes to nonstandard homebrewed
cryptosystems foisted off on unsuspecting users with a bundle of
claims of algorithm strength that they're not competent to evaluate
for themselves, we do not need more ideas, nor more people trying
out ideas; we need less.

Standard, widely analyzed cryptographic algorithms are good.

What Thor said.

It's instructive to quote from Vol. 2 of Knuth:

With all the precautions taken in Algorithm K, doesn't it seem
plausible that it would produce at least an infinite supply of
unbelievably random numbers?  No!  In fact, when this algorithm
was first put onto a computer, it almost immediately converged to
the 10-digit value 6065038420, which---by extraordinary
coincidence---is transformed into itself by the algorithm (see
Table 1).  With another starting number, the sequence began to
repeat after 7401 values, in a cyclic period of length 3178.

The moral to this story is that *random numbers should not be
generated with a method chosen at random*.  Some theory should be
used.

And Knuth was talking about a situation without an adversary.

I don't claim that there's a flaw.  I do assert that that I haven't seen a
threat model that would justify extra complexity.

Let me go one step further.  The cryptographic literature is full of
examples of broken protocols.  My favorite is the flaw in the original
Needham-Schroeder protocol, from 1978, that went unnoticed until 1996,
when an automated tool found it.  I should add that once pointed out, the
flaw is blindingly obvious -- but it went unnoticed for 18 years, in the
oldest protocol in the open literature.  Btw, in modern terms this
protocol is 3 lines long.

One more quote, this time a remarkably prescient one from that Needham
and Schroeder:

Finally, protocols such as those developed here are prone
to extremely subtle errors that are unlikely to be detected
in normal operation. The need for techniques to verify the
correctness of such protocols is great, and we encourage
those interested in such problems to consider this area.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: I'll show you mine if you show me, er, mine

2005-03-03 Thread Arash Partow

Reading the description from http://www.stealth-attacks.info/, it
seems that Peter might be right. I think this is just a re-hash of
already well established ideas.

In the case of a sending the password back to B, its a very similar
scenario to scene III where Athena suggests to Euripides that the
ticket life-time be once off (once use), Euripides goes it would
make using services on the network too difficult why not give it a
time stamp for the duration of the person's work day - a ticket
generating ticket. The play goes on from there, in the end Charon
which is then quickly renamed Kerberos is made. Then 1988 now 2005,
I would say thats about 13 years... :)


Name of play is Designing An Authentication System: A Dialogue In Four Scence 
by Bill Bryant



Arash

Be one who knows what they don't know,
Instead of being one who knows not what they don't know,
Thinking they know everything about all things.
http://www.partow.net




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: FW: ATM machine security

2005-03-03 Thread Lee Parkes
On Thu, Feb 24, 2005 at 02:24:38AM +1100, Chris Trott wrote:
 
 
 My Apologies to the original poster here, but does this seem like a little
 human engineering to anyone else? 

No problem. As it happens the project I'm working on isn't for ATMs but for
a system that shares some similarities: 

* Located in potentially hostile environments
* Subject to abuse and civil disobedience
* Use of crypto and anti tampering devices
* Compliance with a standard outlined by the police and understood in the
  legal system [1]

[1] The standards are 9 years old, but they were, at the time, in line with
what the financial industry used. However, as we all know, industry has moved
on and we are looking to see if the vendors are keeping up with better practice
than was available 9 years ago.

One of the main things I'm looking for is not so much *how* to break into an
ATM, but what happens when one is, for example, are the keys (if pre-shared)
deleted? One vendor of the system has the key encryption key (KEK) stored on
a smartcard, which won't be deleted if power is lost. This goes against the
police guidelines, but there may be a precedent in the financial industry that
says Hey, that's ok if you do X,Y and Z. My employer is looking for that sort
of information, especially if it is easily understood by lawyers. The financial
industry provided the best background for a legal system to understand.

 I mean sounds to me like your project is a search for weakness in the ATM
 system in preparation for an attack, or have I misjudged and you are the
 well meaning integrating party who have commissioned a number of 'suppliers'
 build a new ATM system (or ATM like system) while methodically attempting to
 avoid past errors. 

I work for a large global Professional Services company, but I prefer to keep
queries like this to my private email address. But, and you'll just _have_ to
trust me on this one, I don't do anything illegal because I know I'd get 
caught :) Besides, doing fun stuff and getting paid for it is far better than
being in jail..

 If you are accepting bids from suppliers who already produce ATMs ie NEC or
 the like, how would your request help ? would you be expecting them to
 subvert the existing standards to prevent attacks ?

See above, but basically the bidders need to be able to justify that the system
they are going to use has safeguards in place. We aren't talking about money
here, but there is a watertight need to maintain evidential integrity of the
data transmitted across the network. The network itself will be protected via
VPN *BUT* it will be assumed to be a hostile network, and potentially an
attacker could harvest enough packets to make a brute force attack viable.

 competing standards, differing levels of what would be considered secure
 etc. 

Standards, so many to choose from :)

 Just curious, or was it paranoid, - who said that ?

/me looks over his shoulder

:)

Lee

-- 
--
[EMAIL PROTECTED] DOC #25 GLASS #136
I Need A Reason To Stand Up And Fight
Need To Believe What I See - The Silver Drop - Mnemic

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]